US11206144B2 (Active; Utility patent)

Establishing a security association and authentication to secure communication between an initiator and a responder

Assignee: IBM
Priority: Sep 11, 2019
Filed: Sep 11, 2019
Granted: Dec 21, 2021
Est. expiry: Sep 11, 2039 (nominal 20-yr term from priority)
Inventors: Hathorn Roger G; Driever Patricia G; Colonna Christopher J; Zee Mooheng; Welsh Mikel William; Sczepczenski Richard Mark; Flanagan John R
Classification: H04L 63/0869, H04L 9/3297, H04L 9/3273, H04L 9/0891, H04L 63/068, H04L 9/3242
Claims: 25

Abstract

Provided are a computer program product, system and method embodiments for secure communication between an initiator and a responder over a network. The responder receives, from the initiator, a security association initialization message to establish a security association with the responder including key material used to generate a key for the security association. The responder receives an authentication message from the initiator to program the responder to establish authentication between the responder and the initiator after establishing the security association. The responder sends an authentication message response to the initiator to establish authentication with the responder in response to the authentication message. The responder sends an authentication done message to the initiator after sending the authentication message response to cause the initiator to activate using the security association and the key to encrypt and decrypt communication between the responder and initiator.

Claims

What is claimed is:

1. A computer program product for secure communication between an initiator and a responder over a network, the computer program product comprising a computer readable storage medium having computer readable program code implemented at the responder that when executed performs operations, the operations comprising:
  receiving, from the initiator, a security association initialization message to establish a security association with the responder including key material used to generate a key for the security association;
  receiving an authentication message from the initiator to program the responder to establish authentication between the responder and the initiator after establishing the security association;
  sending an authentication message response to the initiator to establish authentication with the responder in response to the authentication message; and
  sending an authentication done message to the initiator after sending the authentication message response to cause the initiator to activate using the security association and the key to encrypt and decrypt communication between the responder and initiator.

2. The computer program product of claim 1, wherein the operations further comprise:
  receiving an accept message from the initiator in response to the authentication done message, wherein the security association and generated key for the security association are activated to use for communication before sending the authentication done message, wherein authentication is established between the initiator and the responder in response to receiving the accept message.

3. The computer program product of claim 2, wherein the accept message comprises a second accept message, wherein the operations further comprise:
  receiving a first accept message from the initiator in response to the authentication message response; and
  activating the security association to use a key for the security association to encrypt and decrypt messages for the initiator in response to the first accept message, wherein the authentication done message is sent after receiving the first accept message.

4. The computer program product of claim 1, wherein the initiator comprises a host system and the responder comprises a storage controller providing the host system access to storage resources, and wherein the security association and authentication are established for an initiator port at the host system and a responder port at the storage controller.

5. A computer program product for secure communication between an initiator and a responder over a network, the computer program product comprising a computer readable storage medium having computer readable program code implemented at the responder that when executed performs operations, the operations comprising:
  maintaining a first security association with the initiator having a first key to use to encrypt and decrypt messages transmitted with the initiator;
  performing a rekey operation to establish a second security association with the initiator using a second key;
  queuing Input/Output (I/O) for transmission using the second key after completing the rekey operation;
  in response to activating the second security association to use for transmission, starting an invalidate timer, wherein both the first and the second keys can be used for transmissions with the initiator before the invalidate timer expires after starting; and
  invalidating the first security association in response to expiration of the invalidate timer.

6. The computer program product of claim 5, wherein the operations further comprise:
  receiving a security association initialization message from the initiator to accept the second security association, including key material used to generate the second key for the second security association;
  receiving an authentication message from the initiator to establish authentication between the responder and the initiator after the security association initialization message; and
  sending an authentication response message to the initiator after authenticating the initiator in response to the authentication message.

7. The computer program product of claim 6, wherein the operations further comprise:
  sending an authentication done message to the initiator after sending the authentication response message, wherein the authentication done message causes the initiator to activate the second security association to use the second key to encrypt and decrypt communication and to start an invalidate timer at the initiator to invalidate the first security association at the initiator in response to expiration of the invalidate timer at the initiator.

8. The computer program product of claim 6, wherein the operations further comprise:
  programing the second security association at the responder in response to the authentication message from the initiator, wherein the authentication response message is sent to the initiator after programming the second security association at the responder.

9. The computer program product of claim 6, wherein the operations further comprise:
  sending an authentication message response to the initiator including a responder identity in response to the authentication message received from the initiator; and
  receiving an accept message from the initiator in response to the authentication message response; and
  in response to the accept message, activating the second security association to use for transmissions and activate an invalidate timer at the responder to invalidate the first security association in response to the invalidate timer expiring.

10. The computer program product of claim 9, wherein an invalidate timer for the initiator is started after the invalidate timer for the responder is started.

11. A system for secure communication between an initiator and a responder over a network, comprising:
  a processor:
  a computer readable storage medium having computer readable program code implemented at the responder that when executed performs operations, the operations comprising:
  receiving, from the initiator, a security association initialization message to establish a security association with the responder including key material used to generate a key for the security association;
  receiving an authentication message from the initiator to program the responder to establish authentication between the responder and the initiator after establishing the security association;
  sending an authentication message response to the initiator to establish authentication with the responder in response to the authentication message; and
  sending an authentication done message to the initiator after sending the authentication message response to cause the initiator to activate using the security association and the key to encrypt and decrypt communication between the responder and initiator.

12. The system of claim 11, wherein the operations further comprise:
  receiving an accept message from the initiator in response to the authentication done message, wherein the security association and generated key for the security association are activated to use for communication before sending the authentication done message, wherein authentication is established between the initiator and the responder in response to receiving the accept message.

13. The system of claim 12, wherein the accept message comprises a second accept message, wherein the operations further comprise:
  receiving a first accept message from the initiator in response to the authentication message response; and
  activating the security association to use a key for the security association to encrypt and decrypt messages for the initiator in response to the first accept message, wherein the authentication done message is sent after receiving the first accept message.

14. The system of claim 11, wherein the initiator comprises a host system and the responder comprises a storage controller providing the host system access to storage resources, and wherein the security association and authentication are established for an initiator port at the host system and a responder port at the storage controller.

15. A system for secure communication between an initiator and a responder over a network, comprising:
  a processor:
  a computer readable storage medium having computer readable program code implemented at the responder that when executed performs operations, the operations comprising:
  maintaining a first security association with the initiator having a first key to use to encrypt and decrypt messages transmitted with the initiator;
  performing a rekey operation to establish a second security association with the initiator using a second key;
  queuing Input/Output (I/O) for transmission using the second key after completing the rekey operation;
  in response to activating the second security association to use for transmission, starting an invalidate timer, wherein both the first and the second keys can be used for transmissions with the initiator before the invalidate timer expires after starting; and
  invalidating the first security association in response to expiration of the invalidate timer.

16. The system of claim 15, wherein the operations further comprise:
  receiving a security association initialization message from the initiator to accept the second security association, including key material used to generate the second key for the second security association;
  receiving an authentication message from the initiator to establish authentication between the responder and the initiator after the security association initialization message; and
  sending an authentication response message to the initiator after authenticating the initiator in response to the authentication message.

17. The system of claim 16, wherein the operations further comprise:
  sending an authentication done message to the initiator after sending the authentication response message, wherein the authentication done message causes the initiator to activate the second security association to use the second key to encrypt and decrypt communication and to start an invalidate timer at the initiator to invalidate the first security association at the initiator in response to expiration of the invalidate timer at the initiator.

18. The system of claim 16, wherein the operations further comprise:
  programing the second security association at the responder in response to the authentication message from the initiator, wherein the authentication response message is sent to the initiator after programming the second security association at the responder.

19. The system of claim 16, wherein the operations further comprise:
  sending an authentication message response to the initiator including a responder identity in response to the authentication message received from the initiator; and
  receiving an accept message from the initiator in response to the authentication message response; and
  in response to the accept message, activating the second security association to use for transmissions and activate an invalidate timer at the responder to invalidate the first security association in response to the invalidate timer expiring.

20. The system of claim 19, wherein an invalidate timer for the initiator is started after the invalidate timer for the responder is started.

21. A method for secure communication between an initiator and a responder over a network, comprising:
  maintaining, by the responder, a first security association with the initiator having a first key to use to encrypt and decrypt messages transmitted with the initiator;
  performing, by the responder, a rekey operation to establish a second security association with the initiator using a second key;
  queuing, by the responder, Input/Output (I/O) for transmission using the second key after completing the rekey operation;
  in response to activating the second security association to use for transmission, starting, by the responder, an invalidate timer, wherein both the first and the second keys can be used for transmissions with the initiator before the invalidate timer expires after starting; and
  invalidating, by the responder, the first security association in response to expiration of the invalidate timer.

22. The method of claim 21, further comprising:
  receiving, by the responder, a security association initialization message from the initiator to accept the second security association, including key material used to generate the second key for the second security association;
  receiving, by the responder, an authentication message from the initiator to establish authentication between the responder and the initiator after the security association initialization message; and
  sending, by the responder, an authentication response message to the initiator after authenticating the initiator in response to the authentication message.

23. The method of claim 22, further comprising:
  sending, by the responder, an authentication done message to the initiator after sending the authentication response message, wherein the authentication done message causes the initiator to activate the second security association to use the second key to encrypt and decrypt communication and to start an invalidate timer at the initiator to invalidate the first security association at the initiator in response to expiration of the invalidate timer at the initiator.

24. The method of claim 22, further comprising:
  programing, by the responder, the second security association at the responder in response to the authentication message from the initiator, wherein the authentication response message is sent to the initiator after programming the second security association at the responder.

25. The method of claim 22, further comprising:
  sending, by the responder, an authentication message response to the initiator including a responder identity in response to the authentication message received from the initiator; and
  receiving, by the responder, an accept message from the initiator in response to the authentication message response; and
  in response to the accept message, activating, by the responder, the second security association to use for transmissions and activate an invalidate timer at the responder to invalidate the first security association in response to the invalidate timer expiring.
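The rekey behaviour of claims 5 and 21 (a second security association is activated, both keys remain usable until an invalidate timer expires, then the first association is dropped) as an added Python illustration; this is not the patent's or IBM's code, and the SPI-style identifier, the toy key derivation and the timer length are assumptions.

```python
"""Responder-side rekey with an overlapping key window: after the second
security association is activated, messages under either key are accepted
until the invalidate timer fires; new I/O is always queued on the second key.
Added illustration, not the patent's code; SPI numbering, the toy key
derivation and INVALIDATE_SECONDS are assumptions."""
import hashlib
from dataclasses import dataclass, field
from typing import Optional

INVALIDATE_SECONDS = 5.0  # assumed timer length; the claims fix no value


@dataclass
class SecurityAssociation:
    spi: int      # assumed per-SA identifier carried in each message
    key: bytes


@dataclass
class Responder:
    current: SecurityAssociation
    pending: Optional[SecurityAssociation] = None
    old: Optional[SecurityAssociation] = None
    invalidate_at: Optional[float] = None
    tx_queue: list = field(default_factory=list)  # (spi, payload) awaiting send

    def sa_init(self, spi: int, key_material: bytes) -> None:
        """SA init for the second SA: derive the second key from the
        initiator's key material (toy derivation standing in for a real KDF)."""
        self.pending = SecurityAssociation(spi, hashlib.sha256(key_material).digest())

    def activate_second(self, now: float) -> None:
        """On the initiator's accept: transmit on the second SA from now on and
        start the invalidate timer; the first SA stays valid until it fires."""
        self.old, self.current, self.pending = self.current, self.pending, None
        self.invalidate_at = now + INVALIDATE_SECONDS

    def queue_io(self, payload: bytes) -> None:
        """I/O queued after the rekey completes goes out under the second key."""
        self.tx_queue.append((self.current.spi, payload))

    def tick(self, now: float) -> None:
        """Invalidate the first SA once the timer has expired."""
        if self.old is not None and self.invalidate_at is not None and now >= self.invalidate_at:
            self.old, self.invalidate_at = None, None

    def accept_spi(self, spi: int, now: float) -> bool:
        """Inbound check: the current key is always accepted, the old key only
        while the invalidate window is open, a pending key never."""
        self.tick(now)
        if spi == self.current.spi:
            return True
        return self.old is not None and spi == self.old.spi
```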
